Security Tips for Smartphones

Volume 39 Number 2

By
Sharon D. Nelson & John W. Simek

About the Authors

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. John W. Simek is the vice president of Sensei Enterprises Inc. He is an EnCase Certified Examiner (EnCE) and a nationally known testifying expert in the area of computer forensics. Together the authors provide legal technology, information security and digital forensics from their Fairfax, VA-based firm.

The age of the pocket computer is upon us. Smartphones are no more than small computers that happen to make phone calls. According to a Nielsen report, more than 50 percent of U.S. mobile subscribers now own a smartphone. Lawyers, for the first time in memory, are at the technology forefront, with 89 percent of them owning smartphones. Smartphones are extremely powerful devices, capable of storing contacts, calendar entries, email communications, electronic files, voice messages and a host of additional confidential client information. As an attorney, you have an ethical obligation to protect the client data that is stored on your smartphone. We’re here to give you some security tips for protecting the data and some easy measures designed to avoid having the data compromised.

1. Encryption

Such a simple word, but most attorneys are petrified at the thought of having to encrypt anything, and avoid it like the plague. Encryption is simple and very easy to accomplish on a lot of smartphones. A BlackBerry is built with encryption as part of the base design. Enabling Content Protection on the BlackBerry will encrypt the device. If you use BlackBerry Enterprise Server (BES), you enforce encryption as part of the security policy. Just setting a personal identification number (PIN) on an iPhone enables encryption, and many Android devices have encryption capabilities as part of the operating system installation. Bottom line: Enable encryption and you’ll go a long way toward protecting the data.

2. Encrypt Expansion Memory

Besides the main memory, be sure to encrypt any memory expansion cards that may be used. IPhone users don’t have to worry about this since you can’t expand an iPhone, but others need to protect any data that may be saved to the card.

3. Lock Code

Be sure to set a lock code for your smartphone. This will help prevent unauthorized access to the information. Set a code that is longer than the typical four-digit PIN to make it more difficult to crack the number. IPhone users must turn off Simple Passcode to enter more than four digits. Why? Because there is software available that can “brute force” an iOS four-digit PIN in several minutes.

4. Inactivity Timer

Set a fairly short inactivity timer for your smartphone. This will automatically lock the phone if it hasn’t been used for a period of time. Don’t be tempted to set your timer at five or more minutes. You should configure the value to be no more than two minutes. Many attorneys complain that the phone will lock too quickly with such a short value, but larger numbers leave you exposed should you leave your phone in the cab (as one of us has done).

5. Location Services

Turn on the location services of your smartphone to facilitate finding the phone if it is ever lost. IPhone users should enable the Find My iPhone feature through iCloud. The ability to locate your smartphone must be turned on before you lose your phone, something many lawyers seem unaware of. Android users can install the free Lookout application, which has device location capabilities. Another advantage of the location services is that you can send a message to the device or have the smartphone play an alert sound even if the sound is turned off or the phone is in vibrate mode.

6. Remote Wipe

Make sure you have the ability to remotely wipe the phone should you lose it. This is different than being able to locate it. Remote wipe means you can remotely send a command to wipe the information from the phone. This is a built-in feature for BlackBerry devices. Remote wipe is part of the Find My iPhone feature for iPhones, and it is also included with Lookout for Android phones.

7. Security Software

Security software for mobile devices is no longer optional as malware writers are now targeting smartphones in a major way. All of the major security software vendors have products for the popular manufacturers and models of smartphones. As we’ve already mentioned, Lookout is a great free product for Android devices. IPhone users pretty much have to trust Apple since they don’t allow any third-party access to the core of the operating system. There are security products for the iPhone but they are not real-time scanners such as those available for the other smartphone operating systems.

8. URLs and QR Codes

This security tip doesn’t require any specialized software or hardware device. Our advice here is not to click on any URL that you receive in a message (email or text) with which you are not familiar. Also, we’re not big fans of any shortened URL (e.g., TinyURL or bitly) because you really don’t know where it will take you. The same goes for QR codes. The QR code is a picture-type barcode, and you really don’t have any clue where the code will take you. Think of it as the Wild West of the Internet.

9. Wireless Networks

Many smartphone users will connect to wireless networks to avoid the data charges associated with accessing the 3G or 4G data network of a cellular provider. Using wireless networks is not a problem, but make sure you are connecting to a secure wireless network. Many of the free wireless networks available at businesses (McDonald’s, Starbucks, etc.) are open networks with no encryption. This means that someone else could be monitoring the network traffic and capturing your data transmissions. Only use secured wireless networks. WPA2-encrypted wireless networks are the only ones we use. WPA encryption was cracked long ago and WEP encryption can be broken in a matter of minutes.

10. Update Your Device

Always run the latest version of the operating system for your smartphone. Just like your computer, vendors provide updates for the operating system to patch security vulnerabilities and add additional features. IPhone users can get the latest updates through iTunes. Other users typically get the updates directly from their cellular provider. You may not have a choice when it comes to updates, as the carrier may force it to your phone. There doesn’t seem to be any consistency with operating system updates. We’ve had Windows Mobile phones for which we had to manually download updates from the carrier’s website. Our BlackBerry smartphone was updated by checking for updates from the phone, which would download them directly from RIM (now BlackBerry). Finally, our current Android phone has updates pushed to it automatically from our cellular provider.

11. Don’t Jailbreak or Root

Do not attempt to bypass the security or normal operation of the smartphone by “jailbreaking” or “rooting” the phone. Bypassing the security certainly makes you vulnerable to potential compromise. And be mindful that, as of January, the Library of Congress made it illegal to unlock cell phones, although jailbreaking is still legal. Go figure.

12. Application Installations

Be wary of any applications from unknown sources. The applications available through iTunes are pretty safe, but there have been several instances where malware slipped past Apple’s review process. Google has been criticized for letting malware-laden applications “camp out” in its store, but it has improved policing application safety through Bouncer. Bouncer still isn’t bulletproof, and some malware is still slipping into Google Play. BlackBerry seems to be pretty clear of malware apps, but that may be because there is so little interest in third-party apps for the BlackBerry. Just make sure you review what others say about an application before you load it, which should help you stay out of trouble.

13. Terms of Service

It still amazes us that lawyers tend not to read the terms of service. They will read contracts for clients but not for their own use. The terms of service will tell you what you are agreeing to, which in turn tells you what the application wants to do. The app may want to record your phone number and location. It may have the ability to actually make a phone call without your involvement. Some apps even say they will access your contacts. Reading the terms of service could keep you out of trouble by protecting access to your data when you realize all the information that the developer wants to access. We are repeatedly mystified by some of the functions that apps demand.

14. Turn Off Unneeded Interfaces

This will also help conserve battery life. Turn off anything you don’t need or use at the moment. As an example, shut off the Bluetooth if you are not using it. You should also shut off the Wi-Fi radio if you are not connected to the Internet.

15. Mobile Device Manager

You may or may not need a Mobile Device Manager (MDM) to enforce policies on the smartphone. The free BES Express for BlackBerry devices is very popular among law firms. There are other MDMs, but they tend to be implemented in larger environments. Whether you purchase an MDM or not, something should be in place to enforce and control certain aspects of the smartphone. Items such as enforcement of a password, password complexity and length, encryption, inactivity timeout, etc., should all be required items, and the user should have no option to bypass them. The ActiveSync policies available with a Microsoft Exchange server should be sufficient for most small firms.
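
As an added illustration (not part of the original article), the sketch below shows how the required items listed above map onto an Exchange mobile device mailbox policy, followed by a check for existing policies that fall short. It assumes the Exchange Management Shell on Exchange 2013 or later; the policy name, the mailbox "jsmith" and the six-character minimum are hypothetical choices.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell.
# 'Firm Smartphone Baseline' and 'jsmith' are hypothetical names, and the
# six-character minimum is an assumed value for "longer than four digits".
$policyName = 'Firm Smartphone Baseline'

# Create a policy that makes the article's required items mandatory.
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock '00:02:00' `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false
# AllowSimplePassword $false rejects codes such as 1234 or 1111 (tip 3).
# MaxInactivityTimeLock enforces the two-minute lock (tip 4).
# The two Require* settings cover main and expansion memory (tips 1 and 2).
# AllowNonProvisionableDevices $false refuses sync to phones that cannot
# enforce the policy, so the user has no way to opt out.

# Assign the policy to a mailbox.
Set-CASMailbox -Identity 'jsmith' -ActiveSyncMailboxPolicy $policyName

# Audit: list every policy that leaves one of the required items optional.
# The inactivity timeout is shown for manual review rather than filtered on.
Get-MobileDeviceMailboxPolicy | Where-Object {
    -not $_.PasswordEnabled -or
    $_.AllowSimplePassword -or
    $_.MinPasswordLength -lt 6 -or
    -not $_.RequireDeviceEncryption -or
    -not $_.RequireStorageCardEncryption -or
    $_.AllowNonProvisionableDevices
} | Select-Object Name, PasswordEnabled, AllowSimplePassword,
    MinPasswordLength, MaxInactivityTimeLock,
    RequireDeviceEncryption, RequireStorageCardEncryption,
    AllowNonProvisionableDevices
```

Any policy the audit returns, including the built-in default if it has never been tightened, leaves at least one of these controls up to the user.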

16. Backup

Back up your data and applications. ITunes (not iCloud) should be used for the backup of iPhones. This is because iTunes provides a local backup and because the iCloud’s terms of service are not security-friendly. BlackBerrys can be backed up using the BlackBerry Desktop Manager. Typically, the manufacturer of the smartphone will provide software to be used for backup. If possible, you should also encrypt the backup. There are also third-party applications that can be used for backup. Why back up? Because this is another layer of protection should you misplace your smartphone and have to remotely wipe it.

Conclusion

We sometimes hear lawyers say that they don’t store client data on their smartphones. In many cases, data is written to your phone without your knowledge. Just opening and reviewing a document may result in the document being written to the phone. This is particularly true of iPhones. No matter what phone you use, be conscious of the changes to the ABA Model Rules of Professional Conduct. You are now required, under those rules, to use technology competently and to assess the risk of using any particular technology and the sensitivity of the data you are handling against the expense and trouble of measures to secure the data. If you follow our 16 tips, you’ll be far more secure than the average lawyer and you will have adopted reasonable precautions for protecting client data—without breaking the bank.
